
Use URL's HTTP(S) scheme concept and define rel=icon better

annevk authored and zcorpan committed May 26, 2016
1 parent c630787 commit a932f7dfd5e50101db47a373cee27b04ed108934
Showing with 14 additions and 12 deletions.
  1. +14 −12 source
26 source
</li>
<li>A <dfn data-noexport="" data-x-href="https://url.spec.whatwg.org/#local-scheme">local scheme</dfn>
<li>A <dfn data-noexport="" data-x-href="https://url.spec.whatwg.org/#network-scheme">network scheme</dfn>
<li>An <dfn data-noexport="" data-x-href="https://url.spec.whatwg.org/#http-scheme">HTTP(S) scheme</dfn>
<li>The <dfn data-noexport="" data-x="concept-url-serialiser" data-x-href="https://url.spec.whatwg.org/#concept-url-serializer">URL serialiser</dfn>
<li>The <dfn data-noexport="" data-x-href="https://url.spec.whatwg.org/#concept-host-parser">host parser</dfn>
<li>The <dfn data-noexport="" data-x="host serialiser" data-x-href="https://url.spec.whatwg.org/#concept-host-serializer">host serialiser</dfn>
<p>The <dfn id="ping" data-x="attr-hyperlink-ping"><code>ping</code></dfn> attribute, if present,
gives the URLs of the resources that are interested in being notified if the user follows the
hyperlink. The value must be a <span>set of space-separated tokens</span>, each of which must be a
<span>valid non-empty URL</span> whose <span data-x="concept-url-scheme">scheme</span> is "<code
data-x="">http</code>" or "<code data-x="">https</code>". <span w-nodev>The value is used by the
user agent for <span>hyperlink auditing</span>.</span></p>
<span>valid non-empty URL</span> whose <span data-x="concept-url-scheme">scheme</span> is an
<span>HTTP(S) scheme</span>. <span w-nodev>The value is used by the user agent for <span>hyperlink
auditing</span>.</span></p>

<p>The <dfn><code data-x="attr-hyperlink-rel">rel</code></dfn> attribute on <code>a</code> and
<code>area</code> elements controls what kinds of links the elements create. The attribute's value
URL</var>, ignoring tokens that fail to parse:</p>

<ol>
<li><p>If <var>ping URL</var>'s <span data-x="concept-url-scheme">scheme</span> is not "<code
data-x="">http</code>" or "<code data-x="">https</code>", then abort these steps.</p></li>
<li><p>If <var>ping URL</var>'s <span data-x="concept-url-scheme">scheme</span> is not an
<span>HTTP(S) scheme</span>, then abort these steps.</p></li>

<li><p>Optionally, abort these steps. (For example, the user agent might wish to ignore any or
all ping URLs in accordance with the user's expressed preferences.)</p></li>
<div w-nodev>

<p>In the absence of a <code>link</code> with the <code data-x="rel-icon">icon</code> keyword, for
<code>Document</code> objects obtained over HTTP or HTTPS, user agents may instead run these
steps <span>in parallel</span>:</p>
<code>Document</code> objects whose <span data-x="concept-document-url">URL</span>'s
<span data-x="concept-url-scheme">scheme</span> is an <span>HTTP(S) scheme</span>, user agents may
instead run these steps <span>in parallel</span>:</p>

<ol>
<li><p>Let <var>request</var> be a new <span data-x="concept-request">request</span> whose
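
Review bot: In the rel=icon fallback paragraph, the condition changes from Document objects "obtained over HTTP or HTTPS" to ones whose URL's scheme is an HTTP(S) scheme, so the fallback is now keyed on the document's URL rather than on how the document was fetched. The commit title only says "define rel=icon better"; please say in the commit message or in a note whether any document is meant to gain or lose this fallback as a result, since the steps that follow create a request that the page itself did not declare.
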
<li><p>If <var>possibleFailure</var> is failure, throw a <code>TypeError</code>
exception.</p></li>

<li><p>If <var>copyURL</var>'s <span data-x="concept-url-scheme">scheme</span> is not "<code
data-x="">http</code>" or "<code data-x="">https</code>", terminate these steps.</p></li>
<li><p>If <var>copyURL</var>'s <span data-x="concept-url-scheme">scheme</span> is not an
<span>HTTP(S) scheme</span>, then terminate these steps.</p></li>

<li><p><span><code>Location</code>-object-setter navigate</span> to <var>copyURL</var>.</p></li>
</ol>
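
Review bot: The rewritten copyURL step says "then terminate these steps", while the rewritten ping URL step earlier in this patch says "then abort these steps" for the same kind of scheme guard. Both lines are being touched anyway, so pick one verb and use it in both places so the two HTTP(S) scheme checks read identically.
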
<p>These mechanisms can introduce a number of concerns, in particular privacy concerns.</p>

<p><strong>Hijacking all Web usage.</strong> User agents should not allow schemes that are key to
its normal operation, such as <code data-x="">http</code> or <code data-x="">https</code>, to be
rerouted through third-party sites. This would allow a user's activities to be trivially tracked,
and would allow user information, even in secure connections, to be collected.</p>
its normal operation, such as an <span>HTTP(S) scheme</span>, to be rerouted through third-party
sites. This would allow a user's activities to be trivially tracked, and would allow user
information, even in secure connections, to be collected.</p>

<p><strong>Hijacking defaults.</strong> User agents are strongly urged to not automatically change
any defaults, as this could lead the user to send data to remote hosts that the user is not
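
Review bot: In the "Hijacking all Web usage" paragraph, "schemes that are key to its normal operation, such as an HTTP(S) scheme" pairs the plural "schemes" with a singular spec term and drops the literal http and https names that made the example concrete. Suggest "such as HTTP(S) schemes", or keep the two literal names next to the term; "its" after "User agents" could be corrected to "their" in the same edit.
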
